Abstract — A method is described which allows a polynomial to be
evaluated efficiently in a (possibly trivial) extension of
the finite field of its coefficients. Its complexity is shown
to be lower than that of standard techniques when the
degree of the polynomial is large with respect to the base
field. Applications to the syndrome computation in the
decoding of cyclic codes, Reed-Solomon codes in particular,
are highlighted.
I. Introduction

Standard algorithms for decoding Reed-Solomon and
BCH codes, such as the Peterson-Gorenstein-Zierler algorithm,
involve the evaluation of polynomials at several
steps. In particular instances the complexity of the algorithms
is even dominated by that task [3]. In this paper
we propose a new method to perform the evaluation
efficiently.

The standard technique to evaluate polynomials over
a field is Horner's rule (e.g. [5, p.467]), which computes
the value $P(\alpha)$ for a polynomial
$P(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_0$
in an iterative way as suggested by the
following description

$$(\cdots((a_n \alpha + a_{n-1})\alpha + a_{n-2})\alpha + \cdots + a_1)\alpha + a_0 .$$

This method requires $n$ multiplications and $n$ additions.
In the following we describe another method to evaluate
polynomials with coefficients over a finite field
and we estimate its complexity. For that we consider,
as is customary, just the number of multiplications, as
in $GF(2^m)$ to multiply is more expensive than to add:
the cost of an addition is $O(m)$ in space and 1 clock
in time, while the cost of a multiplication is $O(m^2)$ in
space and $O(\log_2 m)$ in time [2]. We keep track of the
number of additions, too, to be sure that a reduction in
the number of multiplications does not come together
with an exorbitant increase in the number of additions.

Our approach exploits the Frobenius automorphism 
and its group properties, therefore we call it polynomial 
automorphic evaluation. 

II. Polynomial automorphic evaluation 

Consider a finite field $GF(q)$ of cardinality $q = p^m$, $p$ a
prime, a polynomial $P(x)$ of degree $n$, and let $\alpha$ denote
an element of $GF(q)$. We write $P(x)$ as

$$P_0(x^p) + x P_1(x^p) + \cdots + x^{p-1} P_{p-1}(x^p) ,$$

where $P_0(x^p)$ collects the powers of $x$ with exponent a
multiple of $p$ and in general $x^i P_i(x^p)$ collects the powers
of the form $x^{ap+i}$, with $a \in \mathbb{N}$ and $0 \le i \le p-1$ (see some
examples in the following remarks).

If $\sigma$ is the Frobenius automorphism of $GF(p^m)$ mapping
$\alpha$ to $\alpha^p$, we can write the expression above as

$$P_0^{-1}(x)^p + x P_1^{-1}(x)^p + \cdots + x^{p-1} P_{p-1}^{-1}(x)^p ,$$

where $P_i^{-k}(x)$ stands for the polynomial obtained from
$P_i(x)$ by substituting its coefficients with their transforms
through $\sigma^{-k}$, for any $k$ in the set $\{1, \ldots, m\}$. Notice
that the polynomials $P_i^{-1}(x)$ have degree at most $n/p$.
We can take the exponent out of the brackets as the field
has characteristic $p$.

$P(\alpha)$ for a particular value $\alpha$ can then be obtained
from $\{P_i^{-1}(\alpha)\}$ by making $p$ $p$-th powers, $p-1$
multiplications and $p-1$ sums.

The procedure can be iterated until the polynomials
we obtain have small degree: at each step the number
of polynomials is multiplied by $p$ and their degree is
divided roughly by $p$. For each step we have to compute
$N$ $p$-th powers, where $N$ is the number of polynomials at
that step, while additions and multiplications are slightly
fewer, as computed below.
If we perform $L$ steps, we have $p^L$ polynomials of
degree nearly $n/p^L$ and the total cost of evaluating $P(\alpha)$
comprises the following:

• Evaluation of $p^L$ polynomials of degree $n/p^L$ in $\alpha$.

• Computation of $p + p^2 + \cdots + p^L = \frac{p^{L+1}-p}{p-1}$ $p$-th
powers.

• Computation of $(p-1) + (p^2-p) + \cdots + (p^L - p^{L-1}) =
p^L - 1$ multiplications by powers of $\alpha$.

• Computation of $(p-1) + (p^2-p) + \cdots + (p^L - p^{L-1}) =
p^L - 1$ additions.

• Computation of the coefficients of the polynomials
through $\sigma^{-L}$; the number of coefficients is the
same as the number of coefficients of $P(x)$, that is
at most $n + 1$, which would possibly imply too many
multiplications. However, we can spare a lot if we
do the following: we evaluate the polynomials in
$\sigma^L(\alpha)$ and then we apply $\sigma^{-L}$ to the outputs. So we
need to apply powers of $\sigma$ a number of times not
greater than $p^L + 1$. Notice also that what matters
in $\sigma^L$ is $L$ modulo $m$ because $\sigma^m$ is the identity
automorphism.

So all together we would like to minimize the following
number of multiplications:

$$G(L) = 2\lfloor\log_2 p\rfloor \frac{p^{L+1}-p}{p-1} + p^L - 1 + 2\lfloor\log_2 p\rfloor (m-1)(p^L+1) + \frac{n}{p^L}(p^m-1) ,$$

where $2\lfloor\log_2 p\rfloor$ refers to a $p$-th power made by successive
squaring (this upper bound is substituted by 1 when
$p$ is 2), the automorphism $\sigma^L$ counts like a power with
exponent $p^L$, with $L \le m-1$, and $n/p^L$ are the powers
of $\alpha$ we need to compute, while $p^m - 1$ are all their
possible nonzero coefficients. Once we have the powers
of $\alpha$ multiplied by the possible coefficients, we actually
need also to compute at most $n$ additions to get the value
of the polynomials.

Since $G(L)$ is a sum of two positive functions, the
first monotonically decreasing and the second increasing
with $L$, the minimum of $G(L)$, considered as a continuous
function of $L$, is unique. A very good estimation
of the minimum is then obtained by computing the
derivative of $G(L)$ with respect to $L$, so that the optimum
$L$ is roughly

$$\frac{1}{2}\log_p \frac{n(p^m-1)}{1 + 2\lfloor\log_2 p\rfloor\left(m-1+\frac{p}{p-1}\right)} . \qquad (1)$$

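The corresponding minimum can be written as

$$2\sqrt{n(p^m-1)}\sqrt{1 + 2\lfloor\log_2 p\rfloor\left(m-1+\frac{p}{p-1}\right)} + 2\lfloor\log_2 p\rfloor(m-1) - 1 - 2\lfloor\log_2 p\rfloor\frac{p}{p-1} . \qquad (2)$$

This brings a total cost less than $n$ (Horner's cost)
whenever $p^m$ is not too big with respect to $n$.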

a) Remark 1.: If the coefficients are known to belong
to $GF(p)$, then the total cost is at most

$$2\lfloor\log_2 p\rfloor \frac{p^{L+1}-p}{p-1} + p^L - 1 + \frac{n}{p^L}(p-1) ,$$

since $\sigma$ does not change the coefficients in this case. Then
the best value for $L$ is approximately




and the total cost becomes even more appealing; in
particular, when $p = 2$ it is less than $2\sqrt{3n}$.

In this case every step is very straightforward: the
decomposition of a polynomial $P(x)$ as a sum of two
polynomials by collecting odd and even powers of $x$ is

$$P(x) = P_0(x^2) + x P_1(x^2) = P_0(x)^2 + x P_1(x)^2 .$$

Actually this case happens often in coding theory [6],
in particular in the computation of syndromes for a
binary code. In this situation we can have as additional
advantage the possibility of precomputing the powers
of $\alpha$, since what is usually needed is to evaluate a
polynomial in several powers of a particular value $\alpha$.
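
The binary case of Remark 1, written out as an added example (it is not code from the paper): a polynomial with coefficients in GF(2) is evaluated at a point of GF(2^8) by L even/odd splitting steps and by Horner's rule, with every field multiplication counted. The reduction polynomial 0x12B, the function names and the sample word are assumptions of this example; the identities hold for any irreducible polynomial of degree 8.

```python
MOD = 0x12B  # assumed reduction polynomial x^8+x^5+x^3+x+1 (any irreducible octic works)
muls = 0     # field multiplications performed so far (squarings included)

def gf_mul(a, b):
    """Shift-and-add product in GF(2^8); every call is counted."""
    global muls
    muls += 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MOD
        b >>= 1
    return r

def horner(bits, x):  # bits[i] in {0, 1} is the coefficient of x^i
    acc = bits[-1]
    for c in reversed(bits[:-1]):
        acc = gf_mul(acc, x) ^ c
    return acc

def _split(bits, pw, L):
    if L == 0:  # leaf: coefficients are 0/1, so only additions of stored powers
        v = 0
        for k, c in enumerate(bits):
            v ^= pw[k] if c else 0
        return v
    even = _split(bits[0::2], pw, L - 1)
    odd = _split(bits[1::2], pw, L - 1)
    # P(x) = P0(x)^2 + x*P1(x)^2: sigma fixes GF(2), so coefficients are unchanged
    return gf_mul(even, even) ^ gf_mul(pw[1], gf_mul(odd, odd))

def automorphic(bits, x, L):
    """Evaluate at x with L even/odd splitting steps (p = 2)."""
    deg = (len(bits) - 1) >> L  # largest leaf degree, about n / 2^L
    pw = [1, x]
    while len(pw) <= deg:
        pw.append(gf_mul(pw[-1], x))
    return _split(bits, pw, L)

def counted(fn, *args):
    """Return (value, number of multiplications used by fn)."""
    global muls
    muls = 0
    return fn(*args), muls

# Constructed sample: a binary word of degree 254 (length 255).
WORD = [(i + i // 3 + 1) & 1 for i in range(255)]

if __name__ == "__main__":
    print(counted(horner, WORD, 0x02), counted(automorphic, WORD, 0x02, 3))
```

For n = 254 and L = 3 the splitting uses 30 multiplications for the powers of x and 3(2^3 - 1) = 21 squarings and multiplications in the recombination, 51 in total against 254 for Horner's rule, which is below the 2√(3n) ≈ 55 bound of this remark.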

b) Remark 2.: Similarly, if the coefficients belong to
$GF(p^d)$ for a divisor $d$ of $m$, then the total cost is at most

$$2\lfloor\log_2 p\rfloor \frac{p^{L+1}-p}{p-1} + p^L - 1 + 2\lfloor\log_2 p\rfloor (d-1)(p^L+1) + \frac{n}{p^L}(p^d-1) .$$

And the best value for $L$ is

$$\frac{1}{2}\log_p \frac{n(p^d-1)}{1 + 2\lfloor\log_2 p\rfloor\left(d-1+\frac{p}{p-1}\right)} .$$

c) Remark 3.: If $p^m \approx n$, i.e. $m \approx \log_p n$, which is the
case of the Reed-Solomon codes, the proposed method
does not seem to give any advantage as the complexity
is approximately $2n\sqrt{2\log_2 n} > n$ by Equation (2).
However, if $m$ is not prime, then a gain is still possible,
by using the previous remarks. Let us show an example
below. Suppose $m$ is even. Then the elements of the
field $GF(p^m)$ can be represented in the form $a + b\beta$,
where $a, b \in GF(p^{m/2})$ and $\beta$ is a root of a quadratic
polynomial irreducible over $GF(p^{m/2})$. Therefore, the
polynomial $p(x)$ with coefficients in $GF(p^m)$ can be
written as a sum $p_1(x) + \beta p_2(x)$ where both $p_1(x)$ and
$p_2(x)$ have coefficients in $GF(p^{m/2})$: if we evaluate these
two polynomials using the proposed algorithm, the cost
for each evaluation is

$$2\sqrt{n p^{m/2}}\sqrt{1 + 2\lfloor\log_2 p\rfloor\left(m/2-1+\frac{p}{p-1}\right)} + 2\lfloor\log_2 p\rfloor(m/2-1) - 1 - 2\lfloor\log_2 p\rfloor\frac{p}{p-1} ,$$

and to get the total cost we multiply by 2. For example,
if $p = 2$ and $2^m \approx n$, the total cost is approximately
$2\sqrt{2}\,\sqrt[4]{n^3}\sqrt{\log_2 n}$, a figure significantly less than $n$ when
$m > 12$.

d) Remark 4.: Given the importance of cyclic codes
over $GF(2^m)$, for instance the Reed-Solomon codes that
are used in any CD-ROM, or the famous Reed-Solomon
code [255,223,33] over $GF(2^8)$ used by NASA ([7]),
an efficient evaluation of polynomials over $GF(2^m)$ in
points of the same field is of the greatest interest.

In the previous remarks, we have shown that non-trivial
gains are possible; however, in particular scenarios
an additional gain can be obtained by choosing $L$ as
a factor of $m$ which is close to the value obtained
in equation (1) together with some arrangements as
explained below.

The idea will be illustrated considering the decoding
of the above-mentioned Reed-Solomon code. We will
only show how to obtain the 32 syndromes; the decoding
is done from that point on using the standard
Berlekamp-Massey algorithm, the Chien search to locate
the errors, and the Forney algorithm to compute the
error magnitudes [1].

Let $r(x) = \sum_{i=0}^{254} r_i x^i$, $r_i \in GF(2^8)$, be a received code
word of a Reed-Solomon code [255, 223, 33] generated by
the polynomial $g(x) = \prod_{i=1}^{32}(x - \alpha^i)$, with $\alpha$ a primitive
element of $GF(2^8)$, i.e. a root of x^ + x'-^ + x^ + x + 1.
Our aim is to evaluate the syndromes $S_j = r(\alpha^j)$, $j =
1, \ldots, 32$.

We can argue in the following way. The power $\beta = \alpha^{17}$
is a primitive element of the subfield $GF(2^4)$, it is a root
of the polynomial $x^4 + x^3 + 1$, and has trace 1 in $GF(2^4)$.
Therefore, a root $\gamma$ of $z^2 + z + \beta$ is not in $GF(2^4)$ (see [4,
Corollary 3.79, p.118]), but it is an element of $GF(2^8)$,
and every element of $GF(2^8)$ can be written as $a + b\gamma$
with $a, b \in GF(2^4)$. Consequently, we can write $r(x) =
r_1(x) + \gamma r_2(x)$ as a sum of two polynomials over $GF(2^4)$,
evaluate each $r_i(x)$ in the roots of $g(x)$, and obtain
each syndrome $S_j = r(\alpha^j) = r_1(\alpha^j) + \gamma r_2(\alpha^j)$ with 1
multiplication and 1 sum.

Now, following our proposed scheme, if $p(x)$ is either
$r_1(x)$ or $r_2(x)$, in order to evaluate $p(\alpha^j)$ we consider the
decomposition

$$p(x) = (p_0 + p_2 x + \cdots + p_{254} x^{127})^2 + x(p_1 + p_3 x + \cdots + p_{253} x^{126})^2 ,$$

where we have not changed the coefficients computing
$\sigma^{-1}$ for each of them, as a convenient Frobenius automorphism
will come into play later. Now, each of the
two parts can be decomposed again into the sum of two
polynomials of degree at most 63, for instance

$$p_0 + p_2 x + \cdots + p_{254} x^{127} = (p_0 + p_4 x + \cdots + p_{252} x^{63})^2 + x(p_2 + p_6 x + \cdots + p_{254} x^{63})^2$$

and at this stage we have four polynomials to be
evaluated. The next two steps double the number of
polynomials and halve their degrees; we write just one
polynomial per each stage as an example

$$p_0 + p_4 x + \cdots + p_{252} x^{63} = (p_0 + p_8 x + \cdots + p_{248} x^{31})^2 + x(p_4 + p_{12} x + \cdots + p_{252} x^{31})^2$$

$$p_0 + p_8 x + \cdots + p_{248} x^{31} = (p_0 + p_{16} x + \cdots + p_{240} x^{15})^2 + x(p_8 + p_{24} x + \cdots + p_{248} x^{15})^2$$

Since we choose to stop the decomposition at this
stage, we have to evaluate 16 polynomials of degree at
most 15 with coefficients in $GF(16)$, but before doing
this computation we should perform the inverse Frobenius
automorphism $\sigma^{-4}$ on the coefficients; however,
$\sigma^{-4}(p_i) = p_i$ because the coefficients are in $GF(16)$ and
any element $\beta$ in this field satisfies the condition $\beta^{2^4} = \beta$.

Now, let $K$ be the number of code words to be
decoded. It is convenient to compute only once the
following field elements:

• $\alpha^i$, $i = 2, \ldots, 254$ and this requires 253 multiplications;

• $\alpha^i \cdot \beta^j$ for $i = 0, \ldots, 254$ and $j = 1, \ldots, 14$, which
requires $255 \cdot 14 = 3570$ multiplications.

Then only sums (that can be performed in parallel) are
required to evaluate 16 polynomials of degree 15 for
each $\alpha^j$, $j = 1, \ldots, 32$. Once we have the values of these
polynomials, in order to reconstruct each of $r_1(\alpha^j)$ and
$r_2(\alpha^j)$, we need

• 16 + 8 + 4 + 2 squares

• 8 + 4 + 2 + 1 multiplications (and the same number
of sums).



Summing up, every $r(\alpha^j) = r_1(\alpha^j) + \gamma r_2(\alpha^j)$ is obtained
with $2 \cdot 45 + 1 = 91$ multiplications. Then the total cost
of the computation of 32 syndromes drops down from
$31 + 32 \cdot 254 = 8159$ with Horner's rule to $32 \cdot 91 + 3570 +
253 = 6735$. Since we have $K$ code words the total cost
drops from $31 + 8128 \cdot K$ to $3823 + 2912 \cdot K$, with two
further advantages:

- many operations can be parallelized, so that the
speed is further increased;

- the multiplications can be performed in $GF(2^4)$
instead of $GF(2^8)$, if we write $\alpha^j = a_j + \gamma b_j$; the number
of multiplications could increase but their speed would
be much faster.

Clearly, these decoding schemes can be generalized for
cyclic codes over any $GF(p^m)$ with $m$ not prime.